Gen Y is Hardening Stance against Corporate BYOD/Bring-Your-Own-Cloud Policies


For everyone with passion about enterprise security, the growing terms “IT Anarchy” and “Shadow IT” have become all too familiar. For the uninitiated, these terms apply to two immutable trends:

  • The proliferation of Bring Your Own Device (BYOD) usage by all enterprise IT users and their desire to use applications and third-party cloud-based capabilities.
  • The behavior of aforementioned users to make use of these capabilities whether they are sanctioned by IT or not.

The latter is particularly troubling because the increase in unauthorized use means IT’s ability to manage corporate risks in the face of the exponential explosion of vectors of vulnerability is significantly and possibly catastrophically compromised. 

There is a massive tug-of-war going on. Companies, sometimes grudgingly, are trying to strike a balance between enabling employees to leverage all of the value BYOD devices accessing capabilities and content yet do so in a manner that is safe and secure. The security industry is working furiously to help IT meet the challenges of increased vulnerability in an environment where visibility into what is going on is problematic, making the creation and enforcement of safe practices difficult at best. However, users are impatient and have taken matters into their own hands. They don’t want to wait and they don’t trust IT to act in the users interests. That is why the term “anarchy” resonates as a description.       

The shadow of “shadow IT” looms large with Gen Y

What makes this situation confounding is that despite IT and security vendor efforts to address the problems, security solutions provider Fortinet’s just released, The Fortinet Internet Security Census 2013, indicates that things are getting dicey. In fact, with the critical age group now increasingly populating most enterprises, Generation Y, one could almost say we have reached crisis proportions in regard to their disdain and lack of trust in IT. This should serve as a major call to action.

Based on findings from an independent 20-country survey of 3,200 employees aged 21-32 conducted during October 2013, the research showed a 42 percent increase in the willingness to break usage rules compared to a similar survey conducted last year. The new research also describes the extent to which Generation Y have been victims of cybercrime on their own devices, their ‘threat literacy’ and their widespread practice for storing corporate assets on personal cloud accounts.

There is a lot to mull over in the key findings.

Strong Trend of Contravention: Despite respondents’ positivity about their employers’ provisions for BYOD policy, with 45 percent agreeing this ‘empowers’ them, 51 percent stated they would contravene any policy in place banning the use of personal devices at work or for work purposes.

As the authors note, “This alarming propensity to ignore measures designed to protect employer and employee alike carries through into other areas of personal IT usage.” For example, 36 percent of respondents using their own personal cloud storage (e.g. DropBox) accounts for work purposes said they would break any rules brought in to stop them. 

image via

In addition, when asked about emerging technologies like Google Glass and smart watches 48 percent would contravene any policy brought in to curb use of these at work. This is important based on Gen Y’s views that wearable tech is likely to become widespread at work or for work purposes soon. Indeed, 16 percent said ‘immediately’ and another 33 percent stated it will happen when costs come down. Only eight percent of the respondents disagreed that the technologies would become widespread.

Widespread Use of Personal Cloud Accounts for Sensitive Corporate Data: 89 percent of the sample has a personal account for at least one cloud storage service. DropBox led with 38 percent, and 70 percent of personal account holders have used their accounts for work purposes. In addition, 12 percent of this group admits to storing work passwords using these accounts, 16 percent financial information, 22 percent critical private documents like contracts/business plans, and 33 percent store customer data.

Interestingly, 32 percent of the cloud storage users sampled stated they fully trust the cloud for storing their personal data, with only 6 percent cited an aversion through lack of trust. In other words, cloud trust is approaching the declining IT trust numbers.

Threat literacy required as survey reveals attacks really do happen: When asked about devices ever being compromised and the resulting impact, over 55 percent indicated an attack on personally owned PCs or laptops, with around half of these impacting on productivity and/or loss of personal and/or corporate data.

A possible silver lining, which may be temporal, was that attacks were far less frequent on smartphones 19 percent with a slightly higher proportion resulting in loss of data and/or loss of work productivity than on PCs/laptops, despite the sample reporting a higher level of ownership of smartphones than for laptops and PCs. The same percentage was observed for tablets (19 percent), but with greater consequences, since 61 percent of those attacks resulted in significant impact. This is indicative, probably, of how tablets are used and by whom since many managers (Gen Y is moving up the ranks) now cannot live without them and as other research has shown they have a higher than average proclivity to contravene corporate policies and rules regarding best practices for access apps and content.

Don’t ask and don’t tell

Among one of the worrying findings of the research, 14 percent of respondents said they would not tell an employer if a personal device they used for work purposes became compromised.

The research examined ‘literacy levels’ for different types of security threat. Here too the results were illuminating if contradictory revealing two opposing extremes, “ignorance” and “enlightenment.” The gap between the two was an average of 27 percent with minimal awareness.

Showing how far enterprises need to go in educating their users, when questioned on threats like APTs, DDoS, Botnets and Pharming, up to 52 percent appear completely uneducated.

Another somewhat good news finding was the survey revealing a correlation between BYOD usage and threat literacy. It seems that the more frequent the BYOD habit the better a respondent’s understanding of threats. As the authors note, “This represents a positive finding for organizations when considering if/when to bring policies in alongside training on the risks.”

“This year’s research reveals the issues faced by organizations when attempting to enforce policies around BYOD, cloud application usage and soon the adoption of new connected technologies,” said John Maddison, vice president of marketing for Fortinet. “The study highlights the greater challenge IT managers face when it comes to knowing where corporate data resides and how it is being accessed. There is now more than ever a requirement for security intelligence to be implemented at the network level in order to enable control of user activity based on devices, applications being used and locations.”

“It’s worrying to see policy contravention so high and so sharply on the rise, as well as the high instances of Generation Y users being victims of cybercrime,” continued Maddison. “On the positive side, however, 88 percent of the respondents accept that they have an obligation to understand the security risks posed by using their own devices. Educating employees on the threat landscape and its possible impact is another key aspect for ensuring an organization’s IT security.”

It is unfortunately obvious what flows from these findings. The workforce is changing demographically, and expectations of those who are digitally adept about what they can and will use need to be modified within the context of what IT needs and should have control over. This is arguably the biggest challenge IT faces today as it architects the enterprise ICT environment of the future. As we all know trust is hard to earn, easy to lose and difficult to get back. We all may feel entitled to use our devices and apps as we see fit, but boundaries need to be established and trust restored to avoid the consequences of bad actors doing very bad things.

Edited by Ryan Sartor
Related Articles

Coding and Invention Made Fun

By: Special Guest    10/12/2018

SAM is a series of kits that integrates hardware and software with the Internet. Combining wireless building blocks composed of sensors and actors con…

Read More

Facebook Marketplace Now Leverages AI

By: Paula Bernier    10/3/2018

Artificial intelligence is changing the way businesses interact with customers. Facebook's announcement this week is just another example of how this …

Read More

Oct. 17 Webinar to Address Apache Spark Benefits, Tools

By: Paula Bernier    10/2/2018

In the upcoming webinar "Apache Spark: The New Enterprise Backbone for ETL, Batch and Real-time Streaming," industry experts will offer details on clo…

Read More

It's Black and White: Cybercriminals Are Spending 10x More Than Enterprises to Control, Disrupt and Steal

By: Cynthia S. Artin    9/26/2018

In a stunning new report by Carbon Black, "Hacking, Escalating Attacks and The Role of Threat Hunting" the company revealed that 92% of UK companies s…

Read More

6 Challenges of 5G, and the 9 Pillars of Assurance Strategy

By: Special Guest    9/17/2018

To make 5G possible, everything will change. The 5G network will involve new antennas and chipsets, new architectures, new KPIs, new vendors, cloud di…

Read More